How to Audit ISO 27001 Control 8.20: Network Security

ISO 27001 Annex A 8.20 audit checklist

Auditing ISO 27001 Annex A 8.20 Network Security is the technical verification of infrastructure hardening and traffic segregation controls. The primary implementation requirement is the logical separation of network zones and the encryption of data in transit; the business benefit is preventing lateral movement and preserving the integrity of communications.

ISO 27001 Annex A 8.20 Network Security Audit Checklist

This technical verification tool is designed for lead auditors to establish the security posture of network infrastructure and data in transit. Use this checklist to validate compliance with ISO 27001 Annex A 8.20.

1. Network Security Policy Formalisation Verified

Verification Criteria: A documented policy exists defining the security requirements for network management, including baseline configurations and restricted protocols.

Required Evidence: Approved Network Security Policy or Infrastructure Hardening Standard with explicit version control.

Pass/Fail Test: If the organisation cannot produce a formal policy specifying the mandatory security controls for network equipment, mark as Non-Compliant.

2. Network Segmentation and Segregation Confirmed

Verification Criteria: Technical controls (VLANs, Subnets, or Micro-segmentation) separate the network into logical zones based on sensitivity and function (e.g., DMZ, Corporate, Guest).

Required Evidence: Current network topology diagram and firewall configuration logs showing active traffic isolation between zones.

Pass/Fail Test: If the Guest Wi-Fi or a low-security zone has direct, unfirewalled routing to the production database environment, mark as Non-Compliant.

3. Restricted Use of Insecure Protocols Validated

Verification Criteria: Legacy or insecure protocols (e.g., Telnet, FTP, HTTP, SMBv1) are disabled across all network devices in favour of secure alternatives (SSH, SFTP, HTTPS).

Required Evidence: Port scan results (Nmap) or device configuration exports showing specific port closures.

Pass/Fail Test: If any network management interface is accessible via unencrypted Telnet or HTTP, mark as Non-Compliant.

4. Network Device Hardening Consistency Verified

Verification Criteria: Routers, switches, and firewalls are hardened according to an established baseline, including the removal of default credentials and unused services.

Required Evidence: Hardening checklist sign-offs or configuration comparison reports against CIS Benchmarks.

Pass/Fail Test: If a sampled network switch is found running with factory-default administrative credentials, mark as Non-Compliant.

5. Encryption for Data in Transit Confirmed

Verification Criteria: Technical controls enforce the encryption of data traversing public or untrusted networks using modern protocols (TLS 1.2+ or IPsec VPNs).

Required Evidence: SSL/TLS certificate reports and VPN configuration settings for remote access and site-to-site tunnels.

Pass/Fail Test: If sensitive data is transmitted over the internet via plain-text protocols without a VPN or TLS wrapping, mark as Non-Compliant.

6. Intrusion Detection and Prevention (IDS/IPS) Presence Validated

Verification Criteria: Active monitoring and prevention systems are deployed at network boundaries to detect and block malicious traffic patterns.

Required Evidence: IDS/IPS dashboard screenshots and recent alert logs showing blocked attack signatures.

Pass/Fail Test: If the network perimeter lacks automated detection for common exploit patterns (e.g., SQL injection or brute force), mark as Non-Compliant.

7. Remote Access Security Enforcement Confirmed

Verification Criteria: All remote network access is authenticated via Multi-Factor Authentication (MFA) and restricted to managed or authorised endpoints.

Required Evidence: VPN configuration logs and MFA provider reports showing 100% enforcement for remote users.

Pass/Fail Test: If a user can establish a remote network connection (VPN) using only a single-factor password, mark as Non-Compliant.

8. Firewall Rule Base Integrity Verified

Verification Criteria: Firewall rules follow the “Deny All” principle, with only specifically authorised traffic permitted via the rule base.

Required Evidence: Firewall rule base export showing a “Cleanup” rule (Deny Any/Any) at the bottom of the list.

Pass/Fail Test: If the firewall contains “Any/Any” permit rules or has not undergone a formal rule review in the last 12 months, mark as Non-Compliant.

9. Network Management Tool Access Restricted

Verification Criteria: Access to network management consoles and monitoring tools is restricted to authorised IT personnel using dedicated administrative accounts.

Required Evidence: Access Control Lists (ACLs) for management subnets and RBAC logs from the network management platform.

Pass/Fail Test: If the network management interface (e.g., GUI/SSH) is accessible from the general staff VLAN or Guest network, mark as Non-Compliant.

10. Wireless Network Security Validated

Verification Criteria: Corporate wireless networks use robust authentication (e.g., WPA3 or WPA2-Enterprise with 802.1X) to prevent unauthorised association.

Required Evidence: Wireless Controller (WLC) configuration showing the authentication method and active client certificates.

Pass/Fail Test: If the corporate Wi-Fi relies on a shared Pre-Shared Key (PSK) rather than individual user/device certificates, mark as Non-Compliant.


| Control Requirement | The ‘Checkbox Compliance’ Trap | The Reality Check |
| --- | --- | --- |
| Segmentation | Tool marks “Pass” because a VLAN list is uploaded. | Verify Inter-VLAN Routing. If VLANs exist but the firewall allows all traffic between them, segmentation is a failure. |
| Encryption in Transit | SaaS tool identifies “SSL Certificate” on the website. | Verify Cipher Suites. The auditor must check for support of weak ciphers (e.g., 3DES, RC4) that the tool ignores. |
| Firewall Management | Platform records “Firewall Policy” exists. | Verify Shadow Rules. Automated tools rarely identify rules that are technically active but redundant or insecurely ordered. |
| Remote Access | GRC tool assumes MFA is active on the VPN. | Check Legacy Protocols. Verify that RADIUS or LDAP bypasses haven’t left a “backdoor” for single-factor login. |
| Device Hardening | Tool identifies “Firmware is Up to Date”. | Check Unused Services. A patched router can still have insecure defaults (e.g., SNMP v1/v2 enabled with ‘public’ community strings). |
| IDS/IPS Efficacy | Platform shows the software is “Active”. | Verify Action Mode. Many tools are in “Detection Only” mode. If it doesn’t Prevent, it’s only half a control. |
| Wi-Fi Security | Tool records “WPA2” as the standard. | Verify PSK Rotation. If the organisation uses PSK, when was it last changed? GRC tools never check the password age. |
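The rule-base checks behind checklist item 8 and the Firewall Management row above can be applied to an exported rule list rather than eyeballed. The script below is an added example, not part of this article or any vendor tool; it assumes a constructed comma-separated export (order, action, source, destination, service, with "any" as the wildcard) and flags Any/Any permits, shadowed rules (a later rule whose traffic an earlier rule already matches, including a cleanup deny hidden behind a broad permit) and a missing final Deny Any/Any.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample rule export (not from any real firewall). Format assumed:
# order,action,source,destination,service with "any" as the wildcard.
RULE_EXPORT = """\
1,permit,10.10.0.0/16,10.20.5.0/24,tcp/443
2,permit,10.10.4.0/24,10.20.5.10/32,tcp/443
3,permit,any,any,any
4,permit,192.168.50.0/24,10.20.0.0/16,tcp/1433
5,deny,any,any,any
"""

def parse_rules(export: str) -> List[dict]:
    """Turn the comma-separated export into rule dicts, preserving order."""
    rules = []
    for line in export.strip().splitlines():
        order, action, src, dst, svc = (f.strip() for f in line.split(","))
        rules.append({"order": int(order), "action": action.lower(),
                      "src": src, "dst": dst, "service": svc.lower()})
    return rules

def covers(field: str, outer: str, inner: str) -> bool:
    """True when the earlier rule's value matches everything the later one does."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    if field == "service":
        return outer == inner
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))

def is_any_any(rule: dict) -> bool:
    return rule["src"] == rule["dst"] == rule["service"] == "any"

def audit_rule_base(rules: List[dict]) -> Dict[str, object]:
    """Flag Any/Any permits, shadowed rules, and a missing final cleanup deny."""
    findings: Dict[str, object] = {"any_any_permit": [], "shadowed": []}
    for i, later in enumerate(rules):
        if later["action"] == "permit" and is_any_any(later):
            findings["any_any_permit"].append(later["order"])
        # Shadowed: an earlier rule already matches all of this rule's traffic.
        # A deny shadowed by a permit is the "insecurely ordered" case.
        for earlier in rules[:i]:
            if all(covers(k, earlier[k], later[k]) for k in ("src", "dst", "service")):
                findings["shadowed"].append((later["order"], earlier["order"]))
                break
    last = rules[-1]
    findings["missing_cleanup"] = not (last["action"] == "deny" and is_any_any(last))
    return findings

if __name__ == "__main__":
    print(audit_rule_base(parse_rules(RULE_EXPORT)))
```

On the sample, rule 3 is an Any/Any permit, rule 2 is redundant under rule 1, and rules 4 and 5 (the cleanup deny itself) are shadowed by rule 3, which is exactly the condition the Pass/Fail test for item 8 marks Non-Compliant.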

About the author

Stuart Barker

ISO 27001 Ninja

Stuart Barker is a veteran practitioner with over 30 years of experience in systems security and risk management. Holding an MSc in Software and Systems Security, he combines academic rigor with extensive operational experience, including a decade leading Data Governance for General Electric (GE).

As a qualified ISO 27001 Lead Auditor, Stuart possesses distinct insight into the specific evidence standards required by certification bodies. His toolkits represent an auditor-verified methodology designed to minimise operational friction while guaranteeing compliance.
